Vulnerability Disclosure - let's be honest
about motives, shall we?

In the last ten years, we've seen endless debate about
the various merits and problems with vulnerability disclosure. Predictably,
the discussion has revolved around the technical details of the extremes: full
disclosure versus partial disclosure and all the shades of gray in between.
But one important part of the debate has been quietly ignored, amid the heat
and smoke - the question of motives. Motives are crucial
to our understanding because sometimes knowing why someone does something
is a great way of cutting through all the smoke and fog of debate and details.
So, let's talk about motivations. What can we learn?

Why would someone want to search for vulnerabilities
in someone else's software and publicize them? Well, there are a couple
of possibilities:

Sheer boredom - nothing better to do

Pure altruism - making the world a better place

Self-serving motives

I have trouble believing sheer boredom is what motivates
people to spend hours poring over source code, or attempting to reverse-engineer
applications. What's more thought-provoking, a lot of "security researchers"
do it as part of their jobs. No, I can't accept boredom as the motive for
vulnerability research. I've done code reviews - code reviews are
mind-wrenchingly boring. Nobody tries to cure boredom by doing code reviews!
No sensible employer pays employees just to do code reviews of other
people's code, either. Remember, during the late '90s, "grey
hat hackers" like @Stake's analysts commanded tens of thousands of
dollars to do a security assessment of a piece of software on behalf of a vendor.
So, on one hand we've got people willing to pay big bucks for a service
and, on the other hand, we've got folks willing to perform that same service
for free. That doesn't add up, does it? Clearly, there's another purpose
at play.

What about altruism? Maybe these guys really are
doing it just for the sheer joy of helping people out! Maybe they're doing
it to hone their skills and to make the cyber-world a better place. Maybe these
guys are candidates for cyber-sainthood. There's just a small problem with
that logic: first off, a lot of their "subjects" wish their "benefactors"
wouldn't do what they're doing. Secondly, they're not asking
whether their "subjects" want any help. Imagine if you were
sitting down to eat a nice big carbohydrate-laden meal when some self-appointed
"diet researcher" - without asking or even saying "good morning"
- ran up and stole your french fries in order to "help" you improve
your diet! There are social norms regarding how help is offered or solicited
and it's not considered polite to help someone without a good understanding
of their situation unless it's obviously an emergency and there's
no time to ask. Even so, society is replete with stories of good samaritans
who tackled undercover cops and foiled police operations - we consider
people who do things like that to be fools, not heroes. In other words, I don't
think that these self-appointed guardians of good code are welcomed by all of
their "beneficiaries" - which makes their behavior suspicious, indeed.

Another instructive point is to look at how society treats
heroes and good samaritans. Sometimes, a good samaritan who helps out a stranger
finds the media spotlight upon them. Society "rewards" these people
with their 15 minutes of fame and they get on with their lives. What strikes
me is that, often, when you see the kid who rescued a drowning toddler on TV,
they're shy, or embarrassed at the attention, or they'll say something
self-effacing about how it was the right thing to do at the time and they're
just glad everything worked out. Real heroes, it seems, don't hog
the limelight. Real heroes, it seems, don't issue press
releases or trumpet their achievements on the Herotraq mailing list. Unlike
the "security researchers." Altruism accepts that sometimes the adulation
of society puts heroes in the spotlight, but they're just as happy to walk
away from the scene of their good deeds with the warm glow of knowing they helped
someone out. In fact, if someone ran around actively looking for people to help
and helping them whether they asked for it or not, we'd probably get them
some psychotherapy or give them a swift kick in the pants. Somehow, "security
researchers" don't seem to fit the profile of pure do-gooders. They're
not in it for the quiet warm feeling of helping out.

In fact, "security researchers" that look for
vulnerabilities are often quite jealous of getting "credit" for what
they discover. Back when I was CTO at Network Flight Recorder, I periodically
got contacted by "security researchers" who had found new holes in
software and who wanted to notify me - and make sure they got proper credit
for their discovery. I remember several times it was hard to get a real idea
what, if anything, they had found, because they were afraid someone would steal
their credit. At this point, a light begins to dawn: the motives of security
researchers are based on getting credit and attention for their discoveries.
Well, why would someone do that?

The "security researchers" are doing it
to market themselves.

Well, we all really knew that all along, didn't
we? But that casts the situation in a completely different light. "Security
researchers" have managed to direct the debate towards the bits and bytes
of how releases are timed, and full versus partial disclosure, when the real
issue - that their motives are entirely self-serving
- is swept under the carpet.

Back when I was in the thick of the full disclosure debate,
I used to have "grey hats" come up to me and say, "It's
easy for you to say disclosure is a problem, you've already got
a great reputation." Thus, the real agenda comes out. Never mind the results
of the disclosure, never mind whether it hurts customers, or helps the industry
- the people who are doing disclosure are doing it as a cheap substitute
for marketing. If you strip away the thin veneer of self-justification, I think
it's a legitimate question to ask whether disclosure for marketing
is a good idea. There are plenty of marketing venues that are less controversial
and may actually be cheaper. When you look at the companies that use disclosure
as their marketing vehicle, you can see that the timing of the disclosures is
also suspicious. Is it timed based on discovery, or are the disclosures timed
on an interval calculated to achieve the best marketing impact? I think it's
all highly suspicious when I see a marketing-by-disclosure company releasing
a new vulnerability about once a month - and making sure that they get
quoted in all the newspapers they can as a result. The problem with marketing-by-disclosure
is that it rewards disclosing the most damaging possible attacks. The
all-time champions of marketing-by-disclosure are a group of bottom-feeders
known as eEye security. Their "chief hacking officer" is a masterful
media whore, who has gotten a tremendous amount of free press by doling out
vulnerabilities that have resulted in billions of dollars of damage to customer
networks, while smoothly working both sides of whatever controversy he can generate.
Anything for media attention! Screw the customer! Add insult to injury by taking
their money!

Disclosure's also a big win for the media, so they're happy to play the game. To tell the truth, I can't tell if the media buy the disclosure argument because:

They're stupid bastards

They're not stupid; they're just cynical bastards who are happy to have a nice stream of disasters to write about

After all, when have you seen the computer "technical" media write an article about a piece of software that has largely worked, been stable, secure, and reliable? From a standpoint of getting media coverage, writing a mediocre insecure product will get you more attention (thanks to guys like eEye and NGS) than anything else you could do. I know, I know, complaining about negativity and bias in the media has gone out of fashion - but I can't help it.

Were complicit in this ridiculous game as long as
we allow its players to profit by it. Again, never mind whether disclosure is
good or not  were encouraging these attention hungry bottom-feeding
marketers to manipulate an entire industry for their own ends, and were
rewarding them with our dollars. What can we do about it? Turn them off. Ignore
them. Don't give them a microphone. Don't give them your money. I dont
buy or recommend products from companies that use disclosure as a marketing
tool, and neither should you.